Social Engineering: Not all hacking is done in front of a keyboard
One of my favourite scenes in the recently concluded series of “Mr Robot” is a discussion regarding hacking into a data centre called ‘Steel Mountain’. The team are huddled around a CCTV feed of the front of the building, discussing all of its security protocols and features, all aimed at protecting its secrets. They eventually conclude that it is impossible, as there are no vulnerabilities. Elliot Alderson, the protagonist, turns to his team and announces that he can see at least seven vulnerabilities; his team look confused until he points out the people in the vicinity. One of my favourite cartoons of recent years is a drawing of a boxing ring: in one corner we have firewalls, anti-virus software and malware scanners, and in the other corner we have Dave the user. People are part of any security equation, and it’s a pitfall to forget that.
Social Engineering (according to Wikipedia) has been defined as “any act that influences a person to take an action that may or may not be in their best interests.” Simply put, it is psychological manipulation used either to extract information or to get someone to perform a task that benefits the engineer. To illustrate that last point, once again making reference to the “Mr Robot” TV series, one episode features one of the characters scattering USB drives containing malware in the hope that a target will pick one up and plug it into their laptop, which someone eventually does.
You may well be familiar with the Nigerian Gold Scams (sometimes referred to as a 419* scam), which rose to prominence around 2006 (although the first example of this apparently dates back to the late 18th century, when it was called the ‘Spanish Prisoner’). In this, you would receive an email (or letter) requesting help, and in return for your aid you would be paid a significant amount of money or similar reward. The kicker is that you have to pay out a sum initially to facilitate some service that is needed to get the larger sum of money released; once this is complete, you are then promised that you will receive your pay-out shortly thereafter. These became so well known that they came to be mocked on comedy shows such as Saturday Night Live.
*419 refers to the part of the Nigerian Criminal Code that deals with Fraud.
In the early days these frauds were relatively easy to spot, due to the poor spelling and English of the documentation, but they have become increasingly sophisticated, often replicating official emails complete with graphics and links to sites that seem valid but belie a more nefarious purpose. Another popular tactic is cold-calling people and telling them their Broadband (or some other similar service, such as Netflix) is going to be cut off unless they pay a ‘bill’; quite often the callers prey on those who might not know any better.
As an IT support company we say the best defence is always going to be user awareness and education: not writing your password on a post-it underneath your keyboard, not opening suspicious attachments or clicking on strange URLs, and not volunteering potentially sensitive information to a stranger no matter how plausible their credentials appear. There’s a reason British Gas ran a series of ads a while ago that basically boiled down to ‘check their ID and if in doubt call the office’. Going back to the randomly scattered USB drives earlier, you can block access to USB ports on laptops and desktops, or use a third-party application to only allow approved devices to connect. These days criminals might value your personal data more than your money; you may be targeted for your login credentials or other parts of your overall identity more than your bank PIN.
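As an added example of the ‘block USB storage’ mitigation mentioned above (this is illustrative code written for this article, not a script from our support toolkit), the following PowerShell applies the Windows ‘deny all removable storage’ policy on a single endpoint and reports the resulting state. It assumes an elevated session on a standalone or test machine; in a domain the same values would be pushed by Group Policy rather than written to the registry directly.

```powershell
# Added example: block removable USB storage on one Windows endpoint and verify it.
# Assumes an elevated PowerShell session on a standalone/test machine (not part of
# the original post). In a domain, set the equivalent policy via Group Policy:
# Computer Configuration > Administrative Templates > System > Removable Storage Access.

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-RemovableStorageState {
    # Reports whether the "All Removable Storage classes: Deny all access" policy
    # is set, and whether the USB mass-storage driver is disabled (Start = 4).
    $denyAll = (Get-ItemProperty -Path $PolicyKey  -Name 'Deny_All' -ErrorAction SilentlyContinue).Deny_All
    $start   = (Get-ItemProperty -Path $UsbStorKey -Name 'Start'    -ErrorAction SilentlyContinue).Start
    [pscustomobject]@{
        DenyAllPolicy   = ($denyAll -eq 1)
        UsbStorDisabled = ($start -eq 4)
    }
}

function Disable-RemovableStorage {
    # 1. Policy setting: deny read/write/execute on every removable storage class.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    Set-ItemProperty -Path $PolicyKey -Name 'Deny_All' -Value 1 -Type DWord

    # 2. Belt and braces: stop the USB mass-storage driver from loading at all
    #    (Start = 4 means "disabled"; 3 would restore on-demand loading).
    Set-ItemProperty -Path $UsbStorKey -Name 'Start' -Value 4 -Type DWord
}

Disable-RemovableStorage
Get-RemovableStorageState   # expect DenyAllPolicy = True, UsbStorDisabled = True
```

Devices already plugged in keep working until they are removed or the machine is rebooted, so check the state again afterwards. This only covers storage-class devices; restricting other device classes to an approved list is the job of the allow-listing tools mentioned above.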
As they used to say in the TV series ‘Hustle’, there are three simple rules:
“If it looks too good to be true then it probably is!”
“You can’t con an honest man.”
“Don’t be a mark.”